Real-Time Awareness of Threats to Your Critical Resources

With all the news stories about cyber attacks thought to originate in Russia, China and other foreign countries, it can be easy to forget about the devastation caused by insiders—careless or disgruntled employees or opportunistic third-party contractors hired by your IT department and entrusted with your company’s data in order to do their jobs.

Think of Edward Snowden, the former National Security Agency (NSA) contractor who copied and leaked sensitive information. Whether you view Snowden as a heroic whistleblower or a duplicitous traitor is ultimately irrelevant. The fact is, he was given access to highly confidential information without the oversight necessary to keep that information within the confines of the agency.

If it can happen at the NSA, whose very name includes the word “security,” it can happen at any organization.

Could Your Most Sensitive Data Be Vulnerable to an Inside Breach?

In late 2015, Michael Bruemmer of the global information services company Experian discussed findings from their Data Breach Industry Forecast report for 2016. Bruemmer observed, “Whether it’s a true malicious insider, or just employee negligence, 80 percent of the breaches we’ve worked so far in 2015 have been [caused by] employees…and I don’t think that’s going to change.”[1]

And in many cases that forecast has been borne out. Just look at the number of incidents involving private healthcare data. In a recent article on Recode.net, the U.S. Department of Health and Human Services Office for Civil Rights reported, “the Top 5 breaches for the first few months of 2016 didn’t even involve malicious IT hacking. Instead, theft, loss, improper disposal and unauthorized email access or disclosure were behind the largest incidents in 2016.”[2]

Even in incidents involving outside hackers, many can be traced back to individuals who were freely granted access to the company’s privileged data systems. According to Recode, “the network openings that allow outside cyber attackers to burrow in, infect databases and potentially take down an organization’s file servers, overwhelmingly originate with trusted insiders.”

How to Protect Your Mainframe Against Threats Both Outside and In

Protecting your mainframe against data thieves is not as simple as restricting access to a small number of (presumably) trusted individuals. Even a trusted employee can inadvertently make mistakes that can create an opportunity for hackers.

So how does a CIO or CISO monitor their mainframe activity to ensure that those employees, contractors or third-party vendors with privileged access are using it responsibly? In a normal environment, when a programmer or administrator accesses certain critical resources, this action doesn’t automatically throw up a red flag for a security manager, who is likely to think, that’s OK, that person is authorized to do that. This makes it easy for certain events to fly under the radar.

What is needed is a monitoring system that makes sure that those given data privileges do not abuse their authority. This monitoring system would allow CIOs and security managers to identify, for example, when a DB2 database administrator grants access to a third party, accesses a DB2 table that they shouldn’t, or writes a program and puts it in an authorized library that will allow that program to do things that it ought not do. Then the CIO and security manager can quickly take the appropriate measure to stop this activity before real damage results.

This real-time monitoring system needs the capability to watch mainframe activity 24 hours a day, seven days a week. Over the years most organizations have implemented SIEM (Security Information and Event Management) and log management technologies. Companies that rely on the mainframe require similar monitoring technology, and they can find it with Mainframe Event Acquisition System (MEAS™)—a software platform that enables companies to collect, store, report and take action against event data through integration with SIEM.

MEAS affords up-to-the-minute visibility into mainframe events. It can alert you to suspicious activity based on rules and policies you define that create a trigger when a particular security event occurs, such as a password violation. MEAS gives you peace of mind when granting access to sensitive data to employees, contractors and vendors. In the end, what’s more important than that?